General Terms & Conditions of iKentoo

Version of May 25, 2018.

 

PREAMBLE

These General Terms and Conditions apply to all services provided by iKentoo.

They govern, as a matter of principle, the relations between iKentoo, its Customers and Third Parties, except in the case of express written derogations. They cancel and replace all oral or written agreements that may have been previously concluded between the parties in this respect.

 

ART. 1. DEFINITIONS

“iKentoo”: iKentoo SA, a software publisher and service provider that develops a point of sale system.

“Customer”: A person or legal entity that operates a commercial establishment and/or uses a service developed by iKentoo.

“Consumer”: a person who is a customer of restaurants and/or catering services of the Customer.

“Third Parties”: All persons or legal entities who may be required to collaborate with iKentoo and/or the Customer.

“Services”: All services developed and/or marketed by iKentoo.

“Activation”: Activation of point of sale systems by iKentoo.

“Initial operation”: Provision of the Service to the Customer after Activation.

“Access”: Customer’s access to the services of iKentoo.

“Network”: All the installations that provide the transmission and/or routing between the endpoints of this data network or telecommunication signals, as well as the exchange of information. Whether the network is internal, local, public, private or otherwise is irrelevant.

“Server”: Computer system running the administration software, which controls access to the network and its resources.

“Data”: Information of any kind, including financial data, text, images, sounds, videos, etc. transiting over the network and/or stored on a server.

“Personal data”: Data enabling the direct or indirect identification of any individual including, where applicable, Customers, Third Parties or Consumers, in particular by reference to an identifier, such as name, identification number, location data, online identifier, or one or more specific elements specific to its physical, physiological, genetic, psychic, economic, cultural or social identity.

“Information System”: Any system used to create, send, receive, store or process data.

 

ART. 2. SERVICES OF iKentoo

iKentoo develops and/or provides services in the field of POS systems and IT.

These services are mainly: connectivity, rental of storage space (hosting), lease of computing power (server), development of applications and services associated with payment systems.

iKentoo pays particular attention to the quality and security of its infrastructures, in particular by a resilient and redundant technical architecture, guaranteeing a high level of security and service availability.

iKentoo strives to provide its customers with the most up-to-date technologies to continually improve the quality and availability of its services.

Within the scope of the current technical and operational possibilities, iKentoo provides additional services to those referred to above, to the extent that the Customer provides suitable facilities accordingly.

 

ART. 3. MAINTENANCE OF THE SYSTEM

iKentoo ensures proper maintenance of its system according to the state of the art. During opening hours, it repairs disturbances that fall within its sphere of influence, within an appropriate period of time, with the means reasonably available to it.

If iKentoo’s intervention is requested for a fault whose cause relates to an error or a failure of the Customer, the costs may be charged to the Customer.

 

ART. 4. SAFETY

iKentoo takes special care of security during the development and the provision of its Services. All transfers between the elements installed at the Customer and the iKentoo server(s) are encrypted. However, the Customer acknowledges that despite all the efforts of iKentoo, the use of the most modern technologies and the respect of safety standards, it is impossible to guarantee an absolute security and a flawless operation of the systems used.

iKentoo reserves the right to use other security features or to modify Customer’s identifications.

 

ART. 5. USE OF THIRD PARTIES

To meet its contractual obligations, iKentoo can use third parties at any time. In this case, they will be subject to the terms of these General Terms and Conditions, in particular as regards the respect of Customer’s data confidentiality and the respect of the legal obligations in terms of protection of Personal Data.

 

ART. 6. CUSTOMER’S OBLIGATIONS

Customer Setup

The Customer is responsible for the configuration of its information system. It undertakes, inter alia, to implement and maintain a computer network that provides a reliable connection between iKentoo system components (such as cash registers and printers), and between elements installed on the Customer’s Network and/or iKentoo Servers.

Passwords and responsibility for the use of access

The Customer is responsible for any damage that may result from the use of access data by third parties (including collaborators) other than the Third Parties instructed by iKentoo, as well as for the content of the information that the Customer itself or third parties (other than the third parties instructed by iKentoo) transmit or process through the iKentoo Services.

The Customer expressly undertakes to guarantee the confidentiality of the security elements, its username and password, and to protect these elements against misuse by unauthorized persons. In particular, the password must never be recorded without protection and accessible to third parties. In case of loss of password or username, the Customer must immediately contact iKentoo.

Business Customers must also ensure that their employees erase their usernames and passwords during important changes (e.g. departure or change of status in the company).

Systems Security

In order to use all iKentoo Services, the Customer must, throughout the term of the agreements with iKentoo, install all updates available on the App Store for the POS system, use the software and/or hardware versions recommended by iKentoo in accordance with the minimum requirements and update them whenever necessary.

The Customer undertakes to use software from trustworthy sources and to take all appropriate measures to protect itself from computer attacks. In particular, it must install the iKentoo app from the Apple App Store.

Access to iKentoo’s Services and the associated settings fall within the purview and are the responsibility of the Customer.

Customer Identification

The Customer undertakes to provide accurate data concerning its identity when registering for the iKentoo Service. In addition, the Customer is required to state either the name of its sign, or its commercial name on all tax documents generated by the iKentoo Service (receipts and reports).

Archiving

The Customer is required to regularly archive the reports generated using the iKentoo Service. iKentoo cannot be held responsible for the loss of Data in the event of a system breakdown or failure.

 

ART. 7. DELIVERY OF OBJECTS, RESERVATION OF PROPERTY, CLAIMS AND GUARANTEE

It is the Customer’s responsibility to verify, upon receipt at its premises, the condition and quantity of the equipment accompanied by the iKentoo packing slip and to claim the necessary reservations, if any, within forty-eight (48) hours after reception.

The items sent to the Customer remain the property of iKentoo until full payment of the agreed price and corresponding taxes. If the Customer is in default of payment, iKentoo is entitled, after a summons, to demand the return of objects at the Customer’s expense.

The collection system guarantee is only valid in the cases where interventions and/or repairs are made by iKentoo and/or the manufacturer. When the item purchased is defective, the manufacturer’s warranty shall apply. Any other claim is expressly excluded.

However, iKentoo cannot guarantee:

  • smooth operation and possible disruption of software delivered by publishers other than iKentoo. Customer must refer to separate agreements and licenses with publishers other than iKentoo;
  • files corrupted and/or lost in case of force majeure;
  • temporary disruption of availability during data backup and restore;
  • continuity of the Internet connection;
  • third-party access to data due to security breaches in the Customer’s information system;
  • third-party access to data in case of breach of the Customer’s duty of care (see ART. 6. CUSTOMER’S OBLIGATIONS) regarding access data;
  • loss of encryption data;
  • backup of log data, statistical data, data generated or updated by users of the Customer’s information system;
  • manipulation of configuration files, or financial reports.

 

ART. 8. RATES

Rates can be obtained from iKentoo. iKentoo reserves the right to modify them at any time.

 

ART. 9. BILLING AND PAYMENT

General

The Customer agrees to pay the amount invoiced no later than the due date mentioned on the invoice.

During the payment period, the Customer may challenge the invoice in writing, stating the reasons. However, it remains obliged to pay the invoice within the time limit. After this period, the invoice is accepted without reserve.

Late Payment

In case of failure to pay within the time limit, the Customer is in default and no reminder needs to be sent. iKentoo reserves the right to charge a reminder fee.

Guarantee

iKentoo reserves the right to require a pre-payment and/or a guarantee.

Guarantees in the form of a cash deposit are remunerated at the interest rate of savings accounts. iKentoo may offset all claims against the Customer with the guarantees provided.

Compensation

Customers do not have the right to offset iKentoo’s claims with any counterclaims.

 

ART. 10. START, TERMINATION AND SUSPENSION OF SERVICES

Start

The Service takes effect at the time of Activation and/or Initial Operation. To activate and/or perform the initial operation, the Customer must send a request by e-mail to support@ikentoo.com which will confirm the switch to production mode. Once this confirmation has been received, the Customer will be able to carry out real transactions.

Termination

Subscription may be terminated in writing with thirty (30) days notice prior to the end of the current billing period.

In the presence of evidence based on use or access contrary to the agreement and/or the law, the report of such use by a competent authority or its finding by a judgment having force of res judicata, iKentoo may require a law-compliant use from the Customer or terminate the agreement without notice and without compensation and may claim damages, as the case may be.

Suspension of Service by the Customer

Should the Customer not use the Service it may suspend the subscription based on a fifteen (15) days’ notice before the beginning of the first month of suspension. The duration of the suspension must be at least two (2) months, and the total suspended months may not exceed nine (9) months per calendar year. iKentoo reserves the right to charge suspension and/or reactivation fees. If the Customer wishes to continue to use the Back-Office access while the subscription is suspended, a monthly fee shall be billed for this service.

Suspension in case of non-payment

If the Customer does not pay its invoices after the first reminder, iKentoo may immediately suspend the provision of Services without notice and without compensation. In this case, the Customer will also be required to grant iKentoo access to the devices used, in order to uninstall them. In the absence of payment of the corresponding invoice within thirty (30) days following the suspension of services by iKentoo, the Customer is made aware of the backup, transfer, copy and destruction processes of its data. (See ART. 11. SAFEGUARD, COPY AND DESTRUCTION OF DATA). Return to service following a suspension is subject to a fee and may take 2 to 3 days. Return to service charges must be paid beforehand.

 

ART. 11. BACKUP, COPY AND DESTRUCTION OF DATA

The Customer assumes full responsibility for the consequences related to the content and management of its Data, subject to the provisions of Article 14 PROTECTION OF PERSONAL DATA below.

Upon the termination or at the end of a Service of iKentoo, the Customer authorizes, without prejudice to the Customer’s prior non-recovery of Data, the destruction thereof, subject to the provisions of Article 14 PROTECTION OF PERSONAL DATA below.

 

ART. 12. RESPONSIBILITY OF iKentoo

iKentoo pays particular attention to the quality and security of its infrastructures, in particular by a resilient and redundant technical architecture, guaranteeing a high level of security and Service availability. However, iKentoo excludes any responsibility to the extent that the applicable law authorizes it, in particular, but not exclusively, for disturbances, corruptions and losses of Data and subsequent damage or loss of profits. iKentoo can only be held responsible for gross negligence and willful misconduct which caused a prejudice to the Customer. This liability provision prevails over any other contractual provision. iKentoo assumes no liability for damages resulting from improper use of the Services, in particular for damages attributable to non-compliance with the Customer’s duty of care or with the applicable law. To the extent permitted by the applicable law, iKentoo does not guarantee permanent access, breakdown-free operation, nor the accuracy and integrity of Data transmitted or downloaded.

iKentoo assumes no liability for any damage suffered by the Customer as a result of transmission errors, data corruption (including Personal Data), interruptions, failures or unlawful intrusions into the information systems, to the extent that such errors, corruptions, interruptions, failures or illegal intrusions are not due to iKentoo or to Third Parties acting on its behalf.

iKentoo reserves the right to terminate the Services at any time in case of security risks without having to explain the reasons for this interruption.

To the extent permitted by the law, iKentoo assumes no liability for damages caused by such interruptions.

 

ART. 13. FORCE MAJEURE

Are regarded as cases of force majeure, besides those usually upheld by the case-law of the Swiss Courts and Tribunals, in particular the total or partial strikes, either internal or external to the company, lock-outs, bad weather, blockages of the transportation means or of the supply means for any reason whatsoever, earthquake, fire, storm, flood, water damage, government or legal restrictions, blockages of telecommunications networks, power outages, appearance of viruses, loss or corruption of Data (including Personal Data), and other cases beyond the control of iKentoo that prevent the normal performance of the Services.

Contractual obligations will be suspended in the cases listed above.

 

ART. 14. PROTECTION OF PERSONAL DATA

14.1 Processing of Personal Data of Customers by iKentoo as Data Controller

iKentoo undertakes to process the Personal Data of its Customers carefully and to comply with the applicable regulations regarding the processing of personal data, including the Swiss law rules on the protection of personal data and the Regulation (EU) 2016/679 of 27 April 2016 (“GDPR”) and the subsidiary rules of the EU Member State where the Customer is domiciled, made pursuant to the GDPR (the GDPR and these subsidiary rules being hereinafter referred to as the “Applicable European Regulation”).

In accordance with the Applicable European Regulations, iKentoo is responsible for the processing of Personal Data relating to the Customers, collected in connection with the execution of the Services. iKentoo only captures, records and processes the data required for the following purposes: fulfillment of its contractual obligations and provision of the Services, monitoring the customer relationship, guarantee of a high quality of Services, security of the operation of Services and the associated infrastructure, as well as for the billing of the Services price.

The Personal Data will be retained during the execution of this Agreement with the Customer and the rights associated therewith. Some of the Personal Data will also be stored by iKentoo within the time frame imposed by the applicable law to fulfill its legal obligations.

The use of Customer Data including Personal Data is required to enable iKentoo to provide optimal service.

Non-personal Data of the Customer, such as the technical logs, can be automatically memorized and kept due to the technical process applied and in accordance with the legislation in force.

iKentoo undertakes to implement all appropriate technical and organizational measures and guarantees so that the processing of the Customer’s Personal Data carried out in connection with the Services comply with the requirements of the Applicable European Regulations and with the aforementioned Federal Law. This concerns in a non-limiting way, the security of the Personal Data (including their confidentiality and their integrity), the minimization of their treatment, the limitation of their conservation to the duration authorized by the law and the respect of the rules in terms of transfers of Personal Data outside the European Union.

For the purposes of performing the Services, iKentoo may transfer Customer’s Personal Data to third-party sub-processors that provide support services, such as technology service providers (hosting providers).

Some of these providers may be outside the European Union. In this case and prior to the transfer of the concerned Personal Data outside the European Union, iKentoo will implement any procedure required to obtain the necessary guarantees to secure such transfers.

The Customer ensures that the Personal Data provided to iKentoo is accurate and up-to-date, and undertakes to communicate to iKentoo any changes or modifications in this regard, as soon as possible.

In accordance with the Applicable European Regulations, and within the limits it provides, in what concerns his/her Personal Data, the Customer has a right of access, rectification, deletion, portability and opposition, limitation and appeal before any competent authority. These rights can be exercised by sending an e-mail to the following address: privacy@ikentoo.com or a simple letter to the address of iKentoo’s registered office. All requests must be accompanied by a photocopy of an identity card bearing the Customer's signature, as well as the address to which iKentoo’s reply must be sent. A reply will be sent within one (1) month of receiving the request, it being specified that this period may be extended by one (1) month depending on the complexity and the number of requests.

14.2 Processing of Consumers’ Personal Data by iKentoo as Customer’s Sub-processor

In addition, as part of the performance of the Services, iKentoo may process, on behalf of the Customer, the Personal Data of the Customer’s Consumers and thus act, within the meaning of applicable law, as a sub-processor of the Customer.

For this purpose and in connection with this subcontracting of Personal Data processing, the rules contained in APPENDIX 1 of these General Conditions shall apply in the context of the present relations between iKentoo and the Customer.

14.3 Prevalence of legal regimes

With regard to the protection of the personal data of Customers and Consumers located in the European Union, in case of contradiction between the Swiss law rules on the protection of personal data, on the one hand, and the Applicable European Regulations, on the other hand, the Applicable European Regulations will prevail.

 

ART. 15. CONFIDENTIALITY

iKentoo will assure the preservation of information entrusted to it by the Customer and that such information shall be considered confidential and treated with discretion. However, the Customer undertakes to keep a copy of all the documents entrusted to iKentoo.

In all cases, the data relating to transactions performed by the collection system, as well as the compositions of these data (reports, cash books, etc.) are processed in confidence and kept within the iKentoo company.

The content of the receipts issued by the device is an exception to this rule, since it can be transmitted to the user who identifies him/herself as entitled to the receipt, to allow for example the edition of a duplicate receipt, in paper or dematerialized form. However, iKentoo undertakes not to transmit more than one receipt at a time, and only to the user who can prove to be the holder of the receipt, either in paper form or in a dematerialized form (by scanning a barcode or a QR-code).

iKentoo uses the information that the Customer authorizes it to use for the Services and functions that iKentoo provides to the Customer and other users, such as its partners, advertisers who purchase advertisements and developers who design the applications and the websites that the Customer uses. For example, iKentoo can use the information it receives about the Customer:

  • as part of its efforts to maintain the security of products, services and integrations of iKentoo;
  • to protect the rights and properties of iKentoo as those of other users;
  • to measure and understand the effectiveness of the ads we display;
  • for internal operations, including troubleshooting, data analysis, testing, search and improvement of the Services.

This permission granted by the Customer to iKentoo allows not only to offer the iKentoo application in its current version, but also to provide the Customer with innovative services that will be developed in the future and that will use the received information in a new way.

The Customer will always remain the owner of the information received by iKentoo, even if the latter is authorized to use it. iKentoo shares information about the Customer with third parties, in the case where:

  • iKentoo has received authorization from the Customer;
  • iKentoo has informed the Customer, for example by informing them of this policy; or
  • iKentoo has removed the name of the Customer or any other Personal Data that allows its identification.

The Customer acknowledges that all written and verbal information relating to iKentoo’s know-how is the product of original creative efforts and is confidential. Consequently, the Customer undertakes not to use it for his own account and not to disclose it outside the needs of the use of the Services.

 

ART. 16. INTELLECTUAL PROPERTY

Throughout the term of the Agreement, iKentoo grants the Customer a non-transferable and non-exclusive right to use the Services made available to it under these General Terms and Conditions and other contractual provisions. All intellectual property rights remain the property of iKentoo or the licensor.

The Customer undertakes to inform iKentoo of any infringement of these intellectual property rights by third parties, as soon as it becomes aware of the same.

 

ART. 17. NON-SOLICITATION OF PERSONNEL

The Customer undertakes not to engage directly or through any intermediary without the written consent of iKentoo any collaborator of iKentoo or a company of its group.

This waiver is valid for the duration of the agreements, plus an additional period of twelve (12) months.

In the event of non-compliance, the Customer shall compensate iKentoo by paying a lump sum equal to the gross fees or wages that the employee has received from iKentoo during the year preceding his/her departure.

 

ART. 18. WAIVER

The fact that one of the Parties has not required the application of any clause of these General Terms and Conditions, whether permanently or temporarily, may in no way be considered as a waiver of the rights of this party arising from such clause.

 

ART. 19. AMENDMENTS TO THE GENERAL TERMS AND CONDITIONS OR THE SERVICES

iKentoo reserves the right to modify at any time the scope of its services or to stop a Service and to adapt the conditions of participation to a Service at any time. In this case, it will inform the Customer accordingly.

In the event of changes in tax and tax rates (especially VAT), iKentoo will be allowed to adjust its rates accordingly.

 

ART. 20. TRANSFERS OF RIGHTS OR OBLIGATIONS BY IKENTOO

Except with the prior approval of iKentoo, the Customer is not authorized to transfer to others rights and obligations arising from these General Terms and Conditions or from agreements.

 

ART. 21. TRANSLATIONS

In case of translation of the General Terms and Conditions the French version will prevail.

 

ART. 22. JURISDICTION AND GOVERNING LAW

These General Terms and Conditions are subject to the Swiss law.

In the absence of an amicable settlement, notified by one of the parties to the other, any dispute shall be brought before the competent court of Geneva.

 


 

 

APPENDIX 1 - PROTECTION OF CONSUMERS’ PERSONAL DATA

 

I.         In connection with the performance of the Services, it is agreed that iKentoo is authorized to process Personal Data on behalf of the Customer.

These Personal Data processing (hereinafter referred to as the “Processing”) have the following characteristics:

        i.         Concerned Services: IT services for the provision of POS systems, rental of storage space (hosting), rental of computing power (server), provision of applications and associated services including maintenance.

       ii.         Nature of Processing made on the Personal Data: transfer, hosting, preservation, structuring, consultation, extraction, exclusion, and any other action required for the accomplishment of the Processing purposes on behalf of the Customer.

      iii.         Processing purpose(s): provision of the Services to the Customer so that it can provide its catering services to Consumers.

      iv.         Types of concerned individuals: the Consumers.

       v.         Types of Personal Data covered by this Annex and whose processing is subcontracted to iKentoo (hereinafter referred to as the “Consumers’ Personal Data”): identification data (surname/first name, phone number, e-mail address, date of birth, postal address), information on consumption and purchases, billing data or means of payment including credit card type, connection data (IP address, logs, etc.), history of the relationship between the Consumer and the Customer.

      vi.         Duration of Processing/retention period of the Personal Data: the duration of this agreement.

     vii.         Personal Data made available to iKentoo by the Customer for the performance of the Services: name and surname of the individual in charge of the Customer’s company, identification number (e.g. SIRET), VAT number, address of the place(s) of business, billing address, telephone number, e-mail address and/or any other data that iKentoo deems necessary for the performance of the agreement, as such other data will be indicated by iKentoo to the Customer.

For the purposes of the Applicable European Regulations, the Customer is the Controller of the Consumers’ Personal Data. iKentoo, in turn, acts as a Sub-processor. This Annex does not constitute a waiver of iKentoo’s status as a controller for its other activities involving the processing of Personal Data relating to the Customer and its use of the iKentoo Services.

II.         iKentoo shall act in accordance with the terms of the agreement concluded with the Customer, as well as all the provisions of the Applicable European Regulations regarding personal data.

The Customer must also respect the Applicable European Regulations and commits to iKentoo in this respect.

III.         iKentoo shall act exclusively on the documented instructions of the Customer, including in particular regarding the transfer of Consumers’ Personal Data to a country outside the European Union or to an international organization (subject to the implementation of iKentoo’s legal obligations which iKentoo will then have to inform the Customer in writing in advance, unless the right concerned prohibits such information for important reasons of public interest).

If iKentoo considers that an instruction of the Customer regarding the processing of the Personal Data of the Consumers constitutes a violation of the Applicable European Regulations, it needs to immediately inform the Customer.

IV.         Subcontracting to a third party

iKentoo may use one or more other sub-processors to conduct certain processing activities on its behalf, provided this has been expressly authorized by the Customer. Thus, iKentoo must first inform the Customer of any recourse to a sub-processor by clearly indicating the subcontracted processing activity(ies), the identity and contact details of the sub-processor and the dates of the sub-processing contracts, thereby giving the Customer the opportunity to object to the choice of the provider. The Customer may oppose such information within thirty (30) days from the date of receipt. In the absence of an opposition within this period, the agreement of the Customer will be deemed acquired.

In case of objection by the Customer, iKentoo may:

  • waive the use of said sub-processor,
  • take the corrective measures requested by the Customer.

The Customer already recognizes that iKentoo may use the following sub-processors:

Amazon Web Services:

                      i.         Name, Commercial Register no., share capital, registered office: Amazon Web Services Ireland Limited, One Burlington Plaza, Burlington Road, Dublin 4, Ireland.

                     ii.         Date and term of the sub-processing contract: 04.11.2011-present.

                    iii.         Sub-processing service(s)/purpose of the contract: rental of storage space (hosting), rental of computing power (server).

                    iv.         Nature of Processing performed on the Consumers’ Personal Data in the framework of subcontracting: hosting.

                     v.         Processing purpose(s): provision of the Services to the Customer so that it can provide its catering services to Consumers.

                    vi.         Types of concerned individuals: the Consumers.

                   vii.         Types of Personal Data of the concerned Consumers: identification data (surname/first name, phone number, e-mail address, date of birth, postal address), information on consumption and purchases, billing data or means of payment including credit card type, connection data (IP address, logs, etc.), history of the relationship between the Consumer and the Customer.

                  viii.         Duration of Processing/Retention of the Consumers’ Personal Data: length of the current contract.

                    ix.         Information made available to the sub-processor by iKentoo for the performance of subcontracted services: name and surname of the individual in charge of the Customer’s company, identification number (e.g. SIRET), VAT number, address of the place(s) of business, billing address, telephone number, e-mail address and/or any other data that iKentoo deems necessary for the performance of the agreement, as such other data will be indicated by iKentoo to the Customer.

iKentoo needs to include all the obligations provided herein in its contract with each of its authorized sub-processors that have access to the Consumers’ Personal Data and the vocation to process the same, and such sub-processors must comply with the same. This will apply, in particular, to sufficient guarantees to be presented as to the implementation of appropriate technical and organizational measures to ensure that the Processing meet the requirements of the Applicable European Regulations.

Without prejudice to the other terms of the agreement with the Customer, when a sub-processor of iKentoo does not fulfill its obligations regarding the protection of personal data, iKentoo, as a Processor, will remain fully liable, in particular to the Customer, for the damages that may result.

V.         iKentoo undertakes to take all the technical and organizational measures required by Article 32 of the GDPR throughout the execution of the Services. In particular, iKentoo shall comply with the obligations listed below and ensure that its staff and its duly authorized sub-processors comply with them:

a)      guarantee the confidentiality of the personal data processed in connection with the Services and ensure that the persons authorized to Process these Personal Data hereunder undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality;

b)      taking into account the state of knowledge, the costs of implementation and the nature, scope, context and purpose of the Processing, as well as the risks, whose degree of probability and severity varies, for the rights and the freedoms of individuals, implement the appropriate technical and organizational measures to ensure a level of security of the Consumers’ Personal Data adapted to the risk, including, inter alia, according to the needs: (i) the pseudonymization and the encryption of the said Personal Data, (ii) ways to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services; (iii) means to restore the availability of the Consumers’ Personal Data and access to them in a timely manner in the event of a physical or technical incident; iKentoo will also implement a procedure to regularly test, analyze and evaluate the effectiveness of technical and organizational measures to ensure the safety of Processing;

when assessing the appropriate level of security, account shall be taken in particular of the risks of the Processing, which may result from the destruction, loss, alteration, unauthorized disclosure of the Consumer’s Personal Data transmitted, retained or otherwise processed, or unauthorized access to such data, occurring accidentally or unlawfully;

c)      inform the Customer of any request for information or investigation of a data protection authority concerning the execution of the agreement or the Customer, which would be notified to iKentoo;

d)      inform the Customer, as soon as possible after iKentoo becomes aware of it, in case of violation of the Consumers’ Personal Data, by sending the Customer an e-mail to the e-mail address used by the Customer as identifier to connect to the Services or by any other appropriate means. Such notification occurs when there is a violation of the Consumers’ Personal Data, regardless of the associated risk. The risk assessment is the responsibility of the Customer. This notification must be accompanied by any useful documentation to enable the Customer, if necessary, to notify this violation to the protection authority and to the data subjects;

e)      assist the Customer, through appropriate technical and organizational measures, to the maximum extent possible, to fulfill its obligation to inform the data subjects and to respond to the requests sent by the data subjects to iKentoo, as the case may be, to exercise their rights under the applicable law; it will be up to the Customer to provide this information to the data subjects on the date provided for by the applicable law, as well as to manage these persons’ requests for the exercise of rights;

f)       more generally, to help the Customer ensure compliance with the obligations provided for by the applicable law for carrying out impact assessments relating to the protection of Personal Data, for the prior consultation of the supervisory authority, the notification to the control authority and, where appropriate, the communication to the data subject of a personal data breach, as well as of the security breach of the processing, taking into account the nature of Processing and the information available to iKentoo;

g)      make available to the Customer all the information necessary to demonstrate compliance with the obligations provided for by the applicable law and allow audits to be carried out, including inspections, by the Customer or another auditor appointed by the same, and to contribute to these audits; iKentoo immediately informs the Customer if, in its opinion, an instruction constitutes a violation of the Applicable European Regulations.

h)      keep a record of the Processing made on behalf of the Customer, including in particular a detailed description of the following:

  • the name and contact details of the controller on whose behalf it is acting, of all of its subsequent sub-processors, if any, acting on behalf of iKentoo as part of the Services and the Data Protection officer (“DPO” hereinafter) acting for the account of iKentoo in cases where such a DPO has been appointed;
  • the categories of Processing of the Customers’ Personal Data made by iKentoo on behalf of the Customer as part of the Services and the different categories of Consumers’ Personal Data thus processed, including “sensitive” Personal Data within the meaning of the Applicable European Regulations;
  • where applicable, the transfer of Consumers’ Personal Data to a third country or to an international organization, the identification of that third country or international organization and, in the case of transfers referred to in Article 49(1), second paragraph of the GDPR (transfer of data to a country which does not provide an adequate level of protection under the European Union law, then limited to certain conditions/circumstances), documents proving the existence of appropriate guarantees;
  • a description of the technical and organizational security measures taken by iKentoo and how they are implemented and, if necessary, updated throughout the execution of the Services;

i)       upon the end of the agreement concluded with the Customer, proceed, according to the Customer’s choice, to the return to the Customer and/or the destruction of any files, manual or computerized, that store the Consumers’ Personal Data and are in the possession of iKentoo, with the exception of any retention that would be required by the applicable law.

VI.         The Customer undertakes to:

  • issue to iKentoo the description of the Processing that is the subject of the sub-processing described above;
  • document in writing all instructions for Consumers’ Personal Data Processing by iKentoo;
  • ensure compliance with the obligations laid down by the Applicable European Regulations, before and during Processing; and
  • supervise Processing, including by performing audits and inspections with iKentoo through a competent third-party organization.